ZooKeeper ACLs Best Practices: HDFS
You must follow the best practices for tightening the ZooKeeper ACLs or permissions for HDFS when provisioning a secure cluster.
-
ZooKeeper Usage:
-
hadoop-ha-hdfs zkfc automatic NameNode failover
-
-
Default ACLs:
-
hadoop-ha-world: anyone:cdrwa
-
-
Security Best Practice ACLs/Permissions and Required Steps:
-
hadoop-ha-sasl: nn:cdrwa
-
-
For secured clusters, the recommended ACL is
sasl:nn:rwcda. To set this, perform the following steps:-
Set
ha.zookeeper.acltosasl:nn:rwcdaas an advanced configuration snippet using Cloudera Manager.Configure the value from HDFS > Configuration > Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml.
-
Set
HADOOP_ZKFC_OPTSas an advanced configuration snippet using Cloudera Manager.Add the following value from HDFS > Configuration > HDFS Replication Environment Advanced Configuration Snippet (Safety Valve) for hadoop-env.sh:-Dzookeeper.sasl.client=true -Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config=/etc/hadoop/conf/hdfs_jaas.conf -Dzookeeper.sasl.clientconfig=Client ${HADOOP_ZKFC_OPTS} -
On both the NameNodes, create /etc/hadoop/conf/hdfs_jaas.conf as the root user with the following contents:
Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true useTicketCache=false keyTab="/cdep/keytabs/hdfs.keytab" principal="nn/<HOST>@EXAMPLE.COM"; };nn/<HOST>@EXAMPLE.COMmust be changed to the actual hostname and realm; for example,nn/c6401.cloudera.com@. To get the actual principal, on both the NameNodes, run the following command as an hdfs user:EXAMPLE.COMklist -k /etc/security/keytabs/nn.service.keytab. -
Stop the two ZKFCs.
-
On one of NameNodes, run the command as an hdfs user:
hdfs zkfc -formatZK -force. -
Start the two ZKFCs.
-
